Linux Worm Is Spreading Rapidly

By Tom Smith
Officials of F-Secure Corp., a security software developer, said from Finland Monday morning that they've detected 11,200 affected systems, double the number they had detected less than 24 hours ago, prompting them to upgrade the worm to a Level 1, the highest level security threat in their classification system.

The worm, called Apache/mod_ssl, linux.slapper.worm or bugtraq.c worm, is self-propagating, malicious code that exploits a known vulnerability in OpenSSL. While that vulnerability isn't itself unique to Linux or Apache, this particular worm apparently targets only Linux systems running Apache, according to CERT, the organization that tracks computer security problems.

The worm operates like this: When it detects an Apache system, it attempts to send exploit code to the SSL service and, if successful, it places a copy of the malicious source code on the targeted server, where the attacking system attempts to compile and run it. Once infected, the target server begins scanning for additional hosts to continue propagating the worm. The worm can also act as an attack platform for distributed denial-of-service attacks against other sites by building a network of infected hosts, according to CERT.

F-Secure is monitoring the worm's spread with code it developed to pose as an infected machine and infiltrate the peer-to-peer network of servers that the worm has created. "The peer to peer network is used so the [worm] writer can control all the affected machines and launch a DoS attack," said Mikko Hypponen, manager of anti-virus research for F-Secure in Helsinki. By infiltrating the peer-to-peer network, F-Secure has been able to track the number of infected systems. F-Secure has confirmed infection reports from more than 100 countries, according to Hypponen.
Heavily infected domains include .net and .com -- 1,600 .net hosts and 1,300 .com hosts -- meaning the virus has infected many machines in the U.S., though Hypponen couldn't confirm whether any DoS attacks had been launched.

One Linux user was on alert, and has already taken necessary steps to update its software infrastructure. California-based Antelope Valley Hospital deployed RedHat Software's patch on a Linux-based server it operates for third-party billing systems over the weekend, said Ash Shehata, director of information systems and telecommunications for the hospital. The hospital also is using the latest version of OpenSSL, which is not vulnerable to this particular attack. The hospital's third-party billing systems operate on a single, uniprocessor Dell server, Shehata said, adding that the hospital didn't detect any potential attacks.

The worm's source code is placed in /tmp/.bugtraq.c on infected systems. CERT is also warning that it may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the target system.

CERT said the vulnerability exploited by the worm was fixed beginning with the OpenSSL version 0.9.6e, but a subsequent release has been issued, so administrators can upgrade to prevent the problem. More background is available at the CERT web site. F-Secure also has a patch available at its Web site that can detect and stop the worm from entering a system, but the company still recommends upgrading to the more secure version of OpenSSL. The F-Secure patch is available at its Web site.
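The article gives defenders two concrete things to check: the worm's source file at /tmp/.bugtraq.c and whether OpenSSL predates 0.9.6e. The triage script below is an added example, not code from the article, CERT or F-Secure; its function names and the root-prefix argument are illustrative assumptions.

```shell
#!/bin/sh
# Added example: triage for the two indicators the article names.
# Function names and the root-prefix argument are illustrative assumptions.

FIXED_VERSION="0.9.6e"         # first fixed OpenSSL release, per CERT in the article
WORM_SOURCE="/tmp/.bugtraq.c"  # where the worm places its source, per the article

# Print a numeric sort key for an OpenSSL version of the form N.N.N plus an
# optional patch letter (0.9.6d). No letter sorts before "a"; each component
# is assumed to be below 100. Returns 1 if the string is not in that form.
version_key() {
    printf '%s\n' "$1" | awk '
    match($0, /^[0-9]+[.][0-9]+[.][0-9]+[a-z]?/) {
        split(substr($0, 1, RLENGTH), p, "[.]")
        letter = p[3]; sub(/^[0-9]+/, "", letter)
        idx = (letter == "") ? 0 : index("abcdefghijklmnopqrstuvwxyz", letter)
        printf "%d\n", p[1] * 1000000 + p[2] * 10000 + (p[3] + 0) * 100 + idx
        ok = 1
    }
    END { exit !ok }'
}

# Return 0 if version $1 predates the fix, 1 if not, 2 if unparseable.
openssl_predates_fix() {
    have=$(version_key "$1") || return 2
    want=$(version_key "$FIXED_VERSION")
    [ "$have" -lt "$want" ]
}

# Return 0 if the worm's source file exists under root prefix $1 (empty for
# the live system, or a mount point when examining a disk image).
worm_source_present() {
    [ -e "${1}${WORM_SOURCE}" ] || [ -L "${1}${WORM_SOURCE}" ]
}

# Report both checks; return 0 only if neither indicator is present.
triage() {
    root="$1"; version="$2"; status=0; rc=0
    if worm_source_present "$root"; then
        echo "FOUND: ${root}${WORM_SOURCE} exists"; status=1
    fi
    openssl_predates_fix "$version" || rc=$?
    case $rc in
        0) echo "VULNERABLE: OpenSSL $version predates $FIXED_VERSION"; status=1 ;;
        2) echo "UNKNOWN: cannot parse OpenSSL version '$version'"; status=1 ;;
    esac
    return $status
}

# Live-system usage: triage "" "$(openssl version | awk '{print $2}')"
```

Distribution packages that backport the fix, such as the Red Hat patch the article mentions, can still report an older upstream version string, so a VULNERABLE result is a prompt to check the vendor's package advisory and not a final verdict.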
Copyright © 2010 CMP Media LLC